Tuesday, March 18, 2025
HomeAWSBybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

Bybit Hack: Details of Sophisticated Multi-Stage Attack Uncovered

Published on

SIEM as a Service

Follow Us on Google News

The Bybit hack, which occurred on February 21, 2025, has been extensively analyzed by multiple cybersecurity teams, including Sygnia.

This attack exposed significant security vulnerabilities across various domains, including macOS malware, AWS cloud compromise, application security, and smart contract security.

The incident involved unauthorized activity in Bybit’s Ethereum (ETH) cold wallets, where an ETH multisig transaction was manipulated through Safe{Wallet} from a cold wallet to a warm wallet, allowing attackers to siphon funds.

Attack Timeline

The earliest known malicious activity began on February 4, 2025, when a Safe{Wallet} developer’s macOS workstation was compromised, likely through social engineering.

This led to the theft of AWS access tokens, which were used to access Safe{Wallet}’s AWS infrastructure between February 5 and February 21.

Bybit Hack
Snippet from Mandiant report shared by Safe{Wallet}

During this period, attackers operated within the infrastructure, although specific details of their activities remain limited.

On February 19, JavaScript resources hosted on an AWS S3 bucket serving Safe{Wallet}’s web interface were modified with malicious code.

According to Sygnia Report, this code was designed to manipulate transactions specifically targeting Bybit’s cold wallet.

On February 21, Bybit initiated a transaction using Safe{Wallet}’s interface, which was manipulated by the attackers, allowing them to transfer over 400,000 ETH without requiring additional multisig approval.

Tactics

The attackers leveraged a delegate call mechanism in smart contracts to replace the original contract implementation with a malicious version.

This introduced sweepETH and sweepERC20 functions, enabling the unauthorized transfer of funds.

Following the transaction, the malicious code was quickly removed from the JavaScript resources, likely in an attempt to cover their tracks.

The attack has been attributed to the Lazarus Group, also known as TradeTraitor or UNC4899, a threat actor linked to the Democratic People’s Republic of Korea (DPRK).

This attribution was confirmed by both the FBI and Mandiant.

The Bybit hack highlights the lack of standardized security standards in the crypto industry, unlike traditional banking, which adheres to strict regulations.

This lack of oversight leaves the industry vulnerable to sophisticated attacks.

The incident also underscores the importance of comprehensive forensic investigations and transparency in disclosing attack vectors to enhance industry-wide defenses against such threats.

The Bybit case sets a precedent for detailed forensic transparency, which is crucial for exposing attackers’ tactics and enhancing industry defenses.

Given the high financial incentives of crypto heists, security teams must remain vigilant and proactive in developing adaptive defenses against evolving threats.

Are you from SOC/DFIR Teams? – Analyse Malware Incidents & get live Access with ANY.RUN -> Start Now for Free.

Aman Mishra
Aman Mishra
Aman Mishra is a Security and privacy Reporter covering various data breach, cyber crime, malware, & vulnerability.

Latest articles

Electromagnetic Side-Channel Analysis of Cryptographically Secured Devices

Electromagnetic (EM) side-channel analysis has emerged as a significant threat to cryptographically secured devices,...

MirrorGuard: Adaptive Defense Mechanism Against Jailbreak Attacks for Secure Deployments

A novel defense strategy, MirrorGuard, has been proposed to enhance the security of large...

New ClearFake Variant Uses Fake reCAPTCHA to Deploy Malicious PowerShell Code

A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA...

New BitM Attack Enables Hackers to Hijack User Sessions in Seconds

A recent threat intelligence report highlights the emergence of a sophisticated cyberattack technique known...

Supply Chain Attack Prevention

Free Webinar - Supply Chain Attack Prevention

Recent attacks like Polyfill[.]io show how compromised third-party components become backdoors for hackers. PCI DSS 4.0’s Requirement 6.4.3 mandates stricter browser script controls, while Requirement 12.8 focuses on securing third-party providers.

Join Vivekanand Gopalan (VP of Products – Indusface) and Phani Deepak Akella (VP of Marketing – Indusface) as they break down these compliance requirements and share strategies to protect your applications from supply chain attacks.

Discussion points

Meeting PCI DSS 4.0 mandates.
Blocking malicious components and unauthorized JavaScript execution.
PIdentifying attack surfaces from third-party dependencies.
Preventing man-in-the-browser attacks with proactive monitoring.

More like this

Electromagnetic Side-Channel Analysis of Cryptographically Secured Devices

Electromagnetic (EM) side-channel analysis has emerged as a significant threat to cryptographically secured devices,...

MirrorGuard: Adaptive Defense Mechanism Against Jailbreak Attacks for Secure Deployments

A novel defense strategy, MirrorGuard, has been proposed to enhance the security of large...

New ClearFake Variant Uses Fake reCAPTCHA to Deploy Malicious PowerShell Code

A recent variant of the ClearFake malware framework has been identified, leveraging fake reCAPTCHA...